From 6090fd3457b1a300c332402f8c5d95f2365e53fb Mon Sep 17 00:00:00 2001
From: chadgeary
Date: Tue, 17 Nov 2020 17:33:06 +0000
Subject: [PATCH] AWS support for client_cidrs alongside mgmt_cidr

---
 aws/aws-generic.tf | 5 +++++
 aws/aws-security.tf | 22 ++++++++++++++++++++++
 aws/aws.tfvars | 4 ++++
 3 files changed, 31 insertions(+)

diff --git a/aws/aws-generic.tf b/aws/aws-generic.tf
index 5acf7b2..177c3ee 100644
--- a/aws/aws-generic.tf
+++ b/aws/aws-generic.tf
@@ -29,6 +29,11 @@ variable "mgmt_cidr" {
 description = "Subnet CIDR allowed to access WebUI and SSH, e.g. /32"
 }
 
+variable "client_cidrs" {
+ type = list
+ description = "List of subnets (in CIDR notation) granted access to DNS without VPN"
+}
+
 variable "vpn_cidr" {
 type = string
 description = "Subnet CIDR allowed to access the VPN, e.g. 0.0.0.0/0 for world access (enrollment still required)"
diff --git a/aws/aws-security.tf b/aws/aws-security.tf
index bc4b16e..a6a7313 100644
--- a/aws/aws-security.tf
+++ b/aws/aws-security.tf
@@ -40,6 +40,17 @@ resource "aws_security_group_rule" "ph-pubsg-mgmt-dnstcp-in" {
 cidr_blocks = [var.mgmt_cidr]
 }
 
+resource "aws_security_group_rule" "ph-pubsg-client-dnstcp-in" {
+ count = length(var.client_cidrs) == 0 ? 0 : 1
+ security_group_id = aws_security_group.ph-pubsg.id
+ type = "ingress"
+ description = "IN FROM CLIENT - DNS TCP"
+ from_port = "53"
+ to_port = "53"
+ protocol = "tcp"
+ cidr_blocks = var.client_cidrs
+}
+
 resource "aws_security_group_rule" "ph-pubsg-mgmt-dnsudp-in" {
 count = var.dns_novpn * 1
 security_group_id = aws_security_group.ph-pubsg.id
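Review bot: `variable "client_cidrs"` is declared with no `default`, so every existing `.tfvars` that predates this commit must now set it — Terraform prompts for a value interactively and fails in a non-interactive run — and `type = list` is the untyped form that newer Terraform versions warn about. `type = list(string)` together with `default = []` keeps old configurations working and rejects non-string entries; the `count` expressions in aws-security.tf already treat an empty list as "no rule", so an empty default is safe. A `validation` block on the variable that rejects entries which are not valid CIDR notation would also surface a typo at plan time rather than as a security-group API error at apply time. The description should state whether these networks are still subject to `dns_novpn`, since the tfvars comment and the rule gating currently disagree on that.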
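Review bot: The new `ph-pubsg-client-dnstcp-in` rule is gated only on `length(var.client_cidrs)`, whereas the neighbouring `ph-pubsg-mgmt-dnstcp-in` and `ph-pubsg-mgmt-dnsudp-in` rules are gated on `var.dns_novpn`; with `dns_novpn = 0` and a non-empty `client_cidrs`, TCP/53 on the public security group is still opened to those networks. The same applies to `ph-pubsg-client-dnsudp-in` in the next hunk. If DNS-without-VPN is meant to be a single switch, `count = var.dns_novpn * (length(var.client_cidrs) == 0 ? 0 : 1)` keeps the client rules consistent with the mgmt ones; if client access is intended to be independent of that flag, the variable description should say so. Since `cidr_blocks` is passed through verbatim from the variable, a `0.0.0.0/0` entry would turn the resolver into an internet-reachable open DNS service, which is worth a comment at the point of use.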
@@ -51,6 +62,17 @@ resource "aws_security_group_rule" "ph-pubsg-mgmt-dnsudp-in" {
 cidr_blocks = [var.mgmt_cidr]
 }
 
+resource "aws_security_group_rule" "ph-pubsg-client-dnsudp-in" {
+ count = length(var.client_cidrs) == 0 ? 0 : 1
+ security_group_id = aws_security_group.ph-pubsg.id
+ type = "ingress"
+ description = "IN FROM CLIENT - DNS TCP"
+ from_port = "53"
+ to_port = "53"
+ protocol = "udp"
+ cidr_blocks = var.client_cidrs
+}
+
 resource "aws_security_group_rule" "ph-pubsg-mgmt-wireguard-in" {
 security_group_id = aws_security_group.ph-pubsg.id
 type = "ingress"
diff --git a/aws/aws.tfvars b/aws/aws.tfvars
index 0593355..0e3b589 100644
--- a/aws/aws.tfvars
+++ b/aws/aws.tfvars
@@ -24,6 +24,10 @@ vpn_traffic = "dns"
 # a value of 1 permits mgmt_cidr access to DNS without the VPN
 dns_novpn = 1
 
+# additional client networks granted access pihole DNS without the VPN, example format:
+# client_cidrs = ["127.0.0.1/32","8.8.8.8/32"]
+client_cidrs = []
+
 ## UNCOMMON ##
 
 aws_region = "us-east-1"
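Review bot: The `description` on `ph-pubsg-client-dnsudp-in` reads `"IN FROM CLIENT - DNS TCP"` although the rule's `protocol` is `"udp"` — a copy of the TCP rule in the previous hunk. It should be `description = "IN FROM CLIENT - DNS UDP"`. The description is what appears in the console and in audit output for the security group, so a wrong one makes the two client rules indistinguishable when someone reviews who is allowed to reach port 53.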
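Review bot: The comment above `client_cidrs` reads `granted access pihole DNS`; `granted access to Pi-hole DNS` is what is meant. The example entries `127.0.0.1/32` and `8.8.8.8/32` are a loopback address and a public resolver rather than client networks, which invites copying them in unchanged; a documentation-range placeholder such as `# client_cidrs = ["203.0.113.0/24"]` (RFC 5737 example range) makes it clearer that real client subnets go here. Because this list feeds `cidr_blocks` on the public security group directly, the comment should also spell out that each entry opens port 53 to that network.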